That really does sound a bit extreme even for a cynic – but it’s a question that is being seriously asked and needs a serious answer. It came to a head earlier this week when Zeit Online published a story suggesting that various federal German agencies had come to the conclusion that Windows 8 is not safe for use by government.
We need to put this into context with two technologies: UEFI and TPM. The Unified Extensible Firmware Interface (UEFI) is a specification that is meant to replace the Basic Input/Output System (BIOS) firmware interface on PCs. It provides many advantages over the original BIOS, but more pertinently here, it can be used to provide ‘secure boot’. Microsoft has come in for some serious criticism over implementing UEFI secure boot on Windows 8 – sufficient criticism for a Spanish open source group, Hispalinux, to level a complaint against Microsoft with the European Union for anti-competitive behaviour. Much of that criticism has died down as it has become clear that serious power users can get round it. However, implemented to its full potential it could enforce an Apple-like walled garden around non-Microsoft manufactured PCs.
TPM – trusted platform module – is a separate issue. This is a chip that controls what can and what cannot run on your computer. It can indeed provide additional security, since if only known good software is allowed to run, then any bad software (viruses and trojans and worms and so on) cannot easily run (never say never!). And there isn’t really an issue, since if you don’t want it, you can just turn it off.
Enter TPM version 2; which is what has upset the German government agencies. Microsoft intends to employ it with Windows 8. Windows 8 will be delivered with TPM 2.0 turned on, and no way to turn it off. But for new versions of Office or completely new Microsoft software, Microsoft clearly needs to be able to bypass TPM – and it has its own key to do so. The user does not have a key to do so.
And this is where the NSA comes in. Given everything we have learned about the NSA over the last few months, does anyone really believe that Microsoft will not willingly or at best under secret coercion be forced to give those same keys to the NSA and probably the FBI as well?
Some of us may even remember the NSAKey discovered in Windows NT by Andrew Fernandes in 1999. At the time, Microsoft denied the key had anything to do with the NSA, but frankly only the gullible believed them, and most people accept that it has been present in every version of Windows ever since. Anybody who believes that Microsoft and the NSA don’t go hand in hand is living in cloud cuckoo land under heavy surveillance.
The problem is that with access to a TPM 2 key that is always on, the NSA or the FBI or both could come and go at will with no-one being any the wiser. Which is exactly how they like to operate.
So how likely is all this? Professor Ross Anderson from Cambridge University wrote back in October 2011,
We’ve also been starting to think about the issues of law enforcement access that arose during the crypto wars and that came to light again with CAs. These issues are even more wicked with trusted boot. If the Turkish government compelled Microsoft to include the Tubitak key in Windows so their intelligence services could do man-in-the-middle attacks on Kurdish MPs’ gmail, then I expect they’ll also tell Microsoft to issue them a UEFI key to authenticate their keylogger malware.
And if the Turkish government can do that, what could the US government do?
I asked him what he thought now, and whether Windows 8 really is dangerous for governments. He said,
Non-US governments had better think carefully about their policy on all this. Until now you could grab the Linux source, go through it, tweak it till you were happy, recompile it and issue it to officials in your ministry of defence. Serious players like China even sent engineers to Redmond to inspect the copy of Windows that would be sold in their country. But most states don’t have enough competent engineers to do that.
Microsoft’s demand that the industry configure all Windows-branded machines so they’ll only boot signed operating systems will make life significantly harder for medium-sized non-aligned governments. And now that Microsoft’s admitted making NSA access easier, the idea of using COTS Windows is not emotionally compatible with the existence of large pampered signals intelligence bureaucracies, even if there isn’t a reasonable engineering alternative.
And so we return to the original question: is Windows 8 an NSA trojan? Yes. Microsoft and the NSA and the Obama administration will, of course, deny it. And the NSA — post Snowden — may never even use it. But that doesn’t alter the fact that the capability exists and could be used. A nuclear weapon is no less a nuclear weapon just because it hasn’t been used. And Windows 8 is an NSA trojan.
My news stories on Infosecurity Magazine, Friday 2 March:
“ACTA’s harm greatly exceeds its potential benefits…”
Yesterday the Directorate General for External Policies at the European Parliament held a workshop on the The Anti-Counterfeiting Trade Agreement (ACTA).
02 March 2012
Compromised websites leading to banking malware
M86 Security is warning that recent spam campaigns are luring victims to compromised websites that redirect to malicious Phoenix-hosting sites, which in turn seek to infect the visitor with the Cridex trojan.
02 March 2012
The ten most important security events and issues from 2011, and what they presage for the future
Kaspersky Lab’s analysis of the ‘evolution of malware’ during 2011, from the rise of hacktivism to the emergence of Mac malware; and the consequent lessons for the future.
02 March 2012
Last week’s news stories (Jan 30 to Feb 3):
Security researchers break satellite phone encryption
German researchers have cracked 2 satellite phone encryption codes – huge implications.
EU publishes 10 Myths about ACTA
EU says ACTA ain’t bad, just misunderstood.
VeriSign repeatedly hacked in 2010
VeriSign was repeatedly hacked in 2010, and never even told its own senior management.
Science and Technology Committee publishes Malware and Cyber Crime report
Commons committee makes recommendations on how to tackle cybercrime.
New development in post-transaction banking fraud
Banking malware now seeks to divert telephone calls between banks and customers.
Counterclank is not malware, just aggressive adware
Contrary to Symantec’s initial claim, Android’s Counterclank (Apperhand) is not a trojan.
Major UK companies still not blocking porn namesakes
UK companies remain open to cybersquatting by YourBrandName.xxx
New Forrester Report: Big Data Risks
Forrester describes how to secure Big Data.
Resilience is the key to security says World Economic Forum
WEF suggest an holistic view of resilience to risk rather than an isolated view of prevention.
A call for a new standard in infosec training and awareness
We need a new standard to improve security awareness in users.
IE6 users: no longer caught between a rock and a hard place
A new product allows legacy IE6 applications to run in new versions of the browser.
75% of all new malware are trojans
PandaLabs 2011 report is full of facts, figures and information.
Spam and phishing are growing problems: DMARC has the answer
A new standard is being developed to help stop spam and phishing.
CSO Interchange: Cloud concerns are largely propaganda
Misunderstandings about the cloud make it seem a problem rather than an opportunity.
Up to five million Androids infected with Counterclank
Android’s largest ever infection reported by Symantec.
I’m not behind Kelihos botnet, claims Sabelnikov
Man named by Microsoft says I didn’t do it, guv.
Rogueware, which is malware that pretends to be legitimate anti-virus software, is one of the biggest threats we currently face. Inherent in all rogueware is a hidden warning: if you don’t buy our software, you will continue to suffer from viruses and trojans. It’s a short step from the ‘buy our product for your security’ warning, to a ‘buy our product or else’ extortion.
But now the ‘threat as a by-product’ is morphing into pure blackmail: ransomware. It’s been around for a few years, but a recent Kaspersky blog highlights the return of GpCode-like ransomware, which makes no pretence to being legitimate: it encrypts your files and won’t let you have them back unless you pay a ransom.
We have received several reports from people around the world asking for help with infections very similar to the GpCode trojan that we detected in 2008…
As we explained before, this type of malware is very dangerous because the chances of getting your data back are very low. It is almost the same as permanent removal of the data from your hard drive.
With the earlier versions Kaspersky managed, in some cases, to recover the data as well as remove the trojan. This time it’s more difficult. David Emm, senior security researcher at Kaspersky Lab, explained the basis of ransomware, and the difference between the earlier version and this new ransomware; and in particular why this new version is more dangerous.
“The GpCode trojan is one of the main examples of ransomware. It is code used to extort money from people. The way it works is to encrypt files on the computer: documents, presentations, spreadsheets, anything really. It encrypts them and then either pops up a message on the screen, or maybe just writes a text file to the disk, so that when the user notices he cannot access something, then he gets the message. It says something like ‘I’ve encrypted your data, and if you want to get it back, you’ll need to decrypt it; and that means sending me an email message.’ So you send the email message to the address given, and then whoever it is replies, ‘Right, well I can soon fix that and decrypt everything, but it will cost you…’
“The Trojan encrypts your files with 1024-bit RSA and AES 256 cryptography,” he said, both of which are pretty well uncrackable. “In the older versions, the code encrypted the files, and then deleted the originals. We didn’t crack the cryptography, we managed to recover the deleted files. So we could remove the trojan and recover the files. But this new version doesn’t work like that; and we haven’t yet found a way to recover any lost data.”
His advice is unchanged. “Their MO is that they prey on someone who is vulnerable – extortion, online or offline, always works like this – and the vulnerability in this case is that you don’t have a back-up of your data. So if you haven’t got back-up, and you find you cannot access your files, or you get a pop-up message or email telling you that payment of £10, €20, $50 or whatever will get you a decryption method, turn off your computer immediately and contact a reputable anti-virus company.” The more you use your system, the more unlikely it is that any deleted files can be recovered. The old method of recovery doesn’t work with this new ransomware; but the AV and data recovery companies might yet find an alternative solution.
Cure, of course, is never as good as prevention. “It’s the small businesses and home users that are going to suffer,” David explained. “In a medium-sized business or larger, anyone who gets infected can just go to the IT guys, and they’ll rebuild the system and data from the company back-ups. But small businesses and home users often don’t have any backup. And restoring from backup is the only way you can guarantee to get encrypted files back.”
Don’t wait to get caught by ransomware. If you do, it may be too late and your only choice will be to pay the criminals or lose your data. You need to
- behave securely in cyberspace to avoid infection
- and use mainstream anti-virus to minimize infection
- and get adequate backup to recover from infection
- else contact a mainstream anti-virus company in the event of infection.
Do not just rely on the last of these.
Over the last couple of days we have been hearing news about the seizure of more than 100 servers by the Dutch police. These servers were involved in the control of a huge number of Bredolab bots; so this can only be seen as a Good Thing.
However, the problem with taking down Command & Control servers is that it leaves the botnet itself in place. It can spring to life again when the criminals set up new C&C servers. So the real solution is to find and cleanse the bots themselves.
Well, the Dutch police attempted to do just this. With help from the Dutch Infosec company Fox-IT and the ISP LeaseWeb, the authorities uploaded their own code – effectively their own trojan – to the infected PCs. The payload is obviously benign. It simply sends the users to a Dutch Police page that explains that they are infected, and provides a link to information on removing the infection. By removing the bots rather than just the servers, the botnet is well and truly dismantled.
Well, I know nothing about Dutch law. But notice that the landing page is in English (there is, of course, also a Dutch version). It is perfectly clear, then, that the Dutch authorities were well aware that they would be ‘infecting’ PCs outside of The Netherlands – and quite likely some in the UK. So, for people in the UK, we are able to look at this from a UK point of view, and not just a Dutch point of view.
And what I want to know is whether the Dutch police action is legal, and/or acceptable. Most people in the security industry will automatically say it is acceptable. After all, it is their job to protect us, and this is a good way of going about it. And the security industry has been ‘infecting’ command and control servers for years – so this is just a small expansion from the servers to the bots. But I’m not so sure it is acceptable – and I’m pretty certain that in the UK it is illegal: that is, the Dutch authorities have broken UK laws if they have infected any UK PCs.
I asked leading lawyer Nicholas Bohm for his view. “Infecting a computer with a trojan would involve offences under the Computer Misuse legislation,” he explained, “unless carried out with some form of lawful authority. In the UK this is available under Part III of the Police Act 1997 (as amended). Authority may be given by chief constables, and others of equivalent rank.
“These powers were primarily introduced to cover the installation of viewing or listening devices in the premises or vehicles of suspects, but they seem to me capable of extending to planting trojans, keystroke loggers etc.”
Yaman Akdeniz, Associate Professor of Law, Faculty of Law, Istanbul Bilgi University, and Director, Cyber-Rights.Org, has similar concerns under the Computer Misuse Act: “Well, there is no ‘good hacker’ or ‘ethical hacker’ defence built into the Computer Misuse Act 1990, nor into the provisions of the Council of Europe CyberCrime Convention for example. So, whatever their intentions are, the access by the Dutch Police into the infected PCs of computer users would be unauthorised in the UK.
“On top of that their ‘modification’ of the content of the infected PCs can also be regarded in breach of the CMA 1990. So, from a legal point of view I find this approach problematic. What if they damage the computers? One may argue that the damage is already done with the initial infection but the access remains unauthorised whether by the bad guys or the good guys.”
So, on balance, the CMA forbids the covert installation of trojans, even if with the best of intentions by the good guys, but could be overridden by ‘chief constables, and others of equivalent rank’ under the Police Act 1977. But Bohm doesn’t believe that the Dutch police behaviour is automatically or necessarily bad. “Some such powers seem to me necessary, just as search warrants are. But I would rather see them controlled judicially – I am unconvinced by the use of retired judges as commissioners to supervise them, and would prefer the decisions involved to be subject to judicial review.”
It seems to me, then, that the Dutch police have broken UK law if they have uploaded their friendly trojan to any UK PCs; and have probably broken other laws all round the world. Judicial oversight may make such behaviour more acceptable; but without it, it should be abhorred. Accepting such behaviour from the authorities, who will always say ‘it is for your own good’ is a dangerous step. Every software developer in the world is aware of the dangers of ‘feature creep’. This sort of behaviour by the authorities is equally subject to feature creep – otherwise known as the slippery slope into authoritarianism.
James Wyke at SophosLabs UK has an interesting post about Zbot samples (aka the Zeus Crimeware Kit) that defy analysis.
…these Zbot samples have been crafted to ensure that they only work when executed on one specific machine and from one specific path. Any attempt to execute the sample on a different machine or from a different path will result in early termination of the malware and no impact on the target system.
James then describes how it is done, concluding
So when the malware sample is discovered on the machine and sent off for analysis it will be executed on a new machine and generate a new GUID based on different hardware and OS information, which will fail the comparison and result in a sample that does nothing, causing AV researchers to scratch their heads and wonder what’s going on.
I was just beginning to think that techniques like this could perhaps be used by rightsholders to protect their rights, when he adds
This sophisticated technique is very similar to hardware based licensing systems employed by major software companies to protect their products from piracy. But until now I had not seen the technique used to protect malware binaries from analysis.
So tell me this: if cybercriminals can target their trojans to run on one computer and one computer alone, how come the entertainment industry needs the full weight of international treaties and draconian laws to stop their files being run on more than one computer?